[Bug 1798384] Re: Grub allows to load unsigned kernel even BIOS enabled secure boot

Tony Espy 1798384 at bugs.launchpad.net
Wed Nov 14 14:17:52 UTC 2018


Note it's possible to use grub2 configuration directives to lock down
privileged operations (such as access to the shell). The 'superusers'
and 'password*' directives can be used to require user auth before
certain operations. It even looks like it's possible to completely
disable these privileged operations by setting 'superusers' to an empty
string. For more information see:

https://www.gnu.org/software/grub/manual/grub/grub.html#Security

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1798384

Title:
  Grub allows to load unsigned kernel even BIOS enabled secure boot

Status in grub2 package in Ubuntu:
  Incomplete

Bug description:
  The grub 2.02 in bionic still has the insecure commands "linux" and
  "initrd", which allow loading an unsigned kernel and initrd.

  Even when the BIOS has forced secure boot, the grub boot menu shows
  for a few seconds and allows entering the grub command line by
  pressing 'c'. In the grub command line, it is easy to load an unsigned
  kernel with the 'linux' and 'initrd' commands.

  Suggest removing 'linux' and 'initrd' from the grub command list.

  ---
  Reproduce steps:
  1. Install an unsigned kernel
  2. Enable secure boot from BIOS
  3. Reboot the system and boot normally to make sure the unsigned kernel fails to boot (grub.cfg loads the kernel with "linuxefi" and "initrdefi")
      error: /boot/vmlinuz-4.15.0-1014 has invalied signature
      error: you need to load the kernel first.

      Press any key to continue...
  4. After a few seconds, the system goes back to the grub menu. Now press 'c' to enter grub command line mode
  5. Enter the following grub commands to load the unsigned kernel and initrd and boot into the unsigned kernel
      grub> linux (hd0,gpt3)/boot/vmlinuz-4.15.0-1014
      grub> initrd (hd0,gpt3)/boot/initrd.img-4.15.0-1014
      grub> boot

  Expected result:
  The unsigned kernel is blocked from booting

  Actual result:
  The unsigned kernel boots successfully

  
  ---
  ProblemType: Bug
  .proc.sys.kernel.moksbstate_disabled: Error: [Errno 2] No such file or directory: '/proc/sys/kernel/moksbstate_disabled'
  ApportVersion: 2.20.9-0ubuntu7.4
  Architecture: amd64
  DistroRelease: Ubuntu 18.04
  EFITables:
   Oct 18 06:31:42 dell-edge-iot kernel: efi: EFI v2.70 by American Megatrends
   Oct 18 06:31:42 dell-edge-iot kernel: efi:  ACPI 2.0=0x8b7e9000  ACPI=0x8b7e9000  SMBIOS=0xf0000  SMBIOS 3.0=0xf0020  ESRT=0x8bc4d118  MEMATTR=0x87951018
   Oct 18 06:31:42 dell-edge-iot kernel: secureboot: Secure boot disabled
   Oct 18 06:31:42 dell-edge-iot kernel: esrt: Reserving ESRT space from 0x000000008bc4d118 to 0x000000008bc4d150.
  Package: shim-signed 1.37~18.04.2+15+1533136590.3beb971-0ubuntu1
  PackageArchitecture: amd64
  ProcVersionSignature: Ubuntu 4.15.0-1014.18-caracalla 4.15.18
  Tags:  bionic uec-images
  Uname: Linux 4.15.0-1014-caracalla x86_64
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: adm cdrom dip lxd plugdev sudo
  _MarkForUpload: True
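
A defensive check for the 'superusers' / 'password*' lockdown mentioned in the comment above, as an added example that is not part of the original message or of GRUB itself: it audits grub.cfg text and reports whether the command line is open, password-protected or disabled. The function name `audit_grub_cfg` and the sample configs are constructed for illustration; directive names and list separators follow the Security section of the GRUB manual.

```python
import re
import shlex

# Constructed sample configs (not taken from the bug report).
ENTRY = "menuentry 'Ubuntu' %s{\n  linuxefi /boot/vmlinuz-4.15.0-1014\n}\n"
OPEN_CFG = ENTRY % ""
AUTH_CFG = ('set superusers="admin"\n'
            "password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER\n"
            + ENTRY % "--unrestricted ")
DISABLED_CFG = 'set superusers=""\n' + ENTRY % "--unrestricted "

def audit_grub_cfg(text):
    """Classify how a grub.cfg restricts the GRUB command line and menu editing."""
    superusers = None                      # None: the variable is never set
    hashed, plaintext, unrestricted = set(), set(), 0
    for raw in text.splitlines():
        try:
            tok = shlex.split(raw, comments=True)
        except ValueError:                 # unbalanced quotes: cannot judge this line
            continue
        if not tok:
            continue
        if tok[0] == "set" and len(tok) > 1:
            tok = tok[1:]                  # "set superusers=..." and "superusers=..."
        if tok[0].startswith("superusers="):
            value = tok[0].split("=", 1)[1]
            # GRUB accepts space, comma, semicolon, pipe or ampersand as separators
            superusers = {u for u in re.split(r"[ ,;|&]+", value) if u}
        elif tok[0] == "password_pbkdf2" and len(tok) >= 3:
            hashed.add(tok[1])
        elif tok[0] == "password" and len(tok) >= 3:
            plaintext.add(tok[1])          # cleartext password stored in the config
        elif tok[0] == "menuentry" and "--unrestricted" in tok:
            unrestricted += 1
    if superusers is None:
        state = "open"                     # anyone at the console can press 'c' or 'e'
    elif not superusers:
        state = "disabled"                 # empty list: CLI and entry editing unavailable
    elif superusers <= (hashed | plaintext):
        state = "authenticated"
    else:
        state = "misconfigured"            # a listed superuser has no password entry
    return {"state": state, "plaintext_users": sorted(plaintext),
            "unrestricted_entries": unrestricted}

if __name__ == "__main__":
    for name, cfg in [("open", OPEN_CFG), ("auth", AUTH_CFG), ("disabled", DISABLED_CFG)]:
        print(name, audit_grub_cfg(cfg))
```

Once 'superusers' is set, menu entries without `--unrestricted` also require authentication, so a zero `unrestricted_entries` count on a locked-down config means unattended boot will stop at a password prompt.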
